Hello,
My service provider has a postgres database, And i want to redo my website with php and allow my clients to login with sessions and go to their page ( i am a graphic designer/ web developer, clients can log in to download stuff like their business cards , logo's, ect ). The service provider is telling me that if I am allowing my clints to login (login and pass in table in database) that their is a huge security breach, and he can be hacked. He says the only way to do it is with ssl and that I have to buy some sort of ticket/pass/something to get it.

I am of the opinion that

a. he doesn't know what he's talking about

b. he's paranoid and doesn't know enough about what he has to feel confident. ( he's fairly new at this as well 2-3 years )

And that I should probally go with another service provider who won't give me these hassles. But I'm new at this, I know that at school when learning this, we didn't have to go through this. and were told that you only need ssl if you are using credit cards or other sercure information. I just want some feedback from everyone please.

So You got you're own userlist with passwords in you're own table?
OK, everyone does that, including me.
There is no extra risc for you're host to be hacked because you allow users to login that way.
This forum does it exactly that way!

You're right about when using SSL, I would only use it when dealing with private information that may not end up in the wrong hands (credit cards, stuff like that). This also because it is a little slower.

You're host has no reason the be extra scared about being hacked.

Switch to another host?
You could, but I would only do it if you're not satisfied with the service, and then I mean the actual hosting and the support.

Firstly, yes it is a security breach because it can be hacked. But whether it's that much of a security breach for you to justify using SSL is up to you. For credit card etc it's a must otherwise we'd be over run with fraud. For simply accessing a site which isn't really interesting to anyone outside the realm of that site (ie a hacker), it's fine! These forums, and most other sites just use normal POST method (not get otherwise the password is clearly visible in the url).

What I would recommend though is not to store the plain text format passwords, but the md5() version of it. md5() encrypts it using a one way algorithm. When a user submits their password, you md5() it and then see if the result matches what's in the database.

This is why when you reset passwords on (most) other sites, they make up a new one for you. They can't tell you what yours was originally because they don't know. You can't decrypt md5().

md5() is just a function that converts a string into a 32 character string. Simple! Just put in a string eg md5("mystring") and it'll come out as some weird code which you store. When the user enters their password, md5 it and see if it matches the one stored!

Somewhere on this forum there is a function for mysql_password wich I am using to encrypt my passwords (in php itself, I don't use the function in the actual query's)
Any reason why I should be using md5 above mysql_password or visa versa?